IO ERROR's Journal: How not to secure your wireless access point

If you bought one of those shiny new 802.11{abg} access points so you could be lazy and use your laptop in bed without a bunch of cords dangling all over the place, you have a decision to make. Do you want your neighbors and random strangers using your Internet connection?

If you decide you don't want other people using your connection, then don't do these things:

• Hide your SSID. Your access point will broadcast it anyway whenever your computer associates, and if you're using Windows XP then it associates every few seconds.
• Use MAC filtering. Your access point will broadcast valid MAC addresses whenever those stations are in use, and anybody can pick those up and change their MAC address to match yours.
• Use WEP. It's easy enough to crack that anybody listening can recover your WEP key in a fairly short time if you actually use your wireless connection for anything.
• Use a Microsoft access point. Microsoft access points will gladly send their WEP key to anybody who asks, making WEP completely useless.
• Use LEAP. It is based on Microsoft CHAP and a poor implementation at that. It's easy to crack.

Hm, what's the point of enabling all that security if it's so easy to get around? Here are some other things you might try:

• Turn off the access point's DHCP server. Won't do you much good, since somebody can just "borrow" your IP address when you aren't using it or use an unused IP address in your subnet.
• Reorient the access point's antenna. Then you'll just have the people on the other side of your apartment using it.

Hm, you may as well just take the damn thing back and get a refund, and suffer the Ethernet cord.

Or, just avoid the issue entirely.

[cyt0plas]

Why secure the access point? Set it to it's lowest bandwidth connection (to help prevent people saturating your connection), and enjoy the plausable deniability. If you are ever taken to court (copyright infringment/hacking/whatever), you can claim it was some wardriver.

Securing Wireless

[Doctor O]

Hope you don't mind a question - I haven't gotten into wireless by now because I had the impression that it's not securable anyway. Your JE seems to second that, at least I don't read anything to the contrary.

Tell me, and this is not a troll, can wireless be secured at all? People around me start using it (even though they're suspicious, because I don't) and it would be nice to be able to reply "it cannot be secured" in addition to my "I don't know about wireless, leave me alone". ;)

Executive Summary Re:Securing Wireless

[IO ERROR]

I've heard of one person who put a firewall/VPN in front of their wireless AP, and in order to access the net at all when using the wireless connection, you have to VPN into the firewall. That's about the only thing I know of that would really work.

Aside from that, hiding your SSID is useless, MAC filtering isn't much better, and WEP, while useful, isn't as secure as it should be. Cisco's LEAP got hacked, and EAP/TLS isn't common enough yet. And you won't find those last two on a residential AP anyway.

Re:Executive Summary Re:Securing Wireless

[Doctor O]

Thanks for the clarification. Seems as if I haven't missed anything, the setup you describe would be a nice thing though. But I guess one would have to restrict usage of the Internet connection, too - I don't want to have people run their eMule or l33t scripts through my connection.